13:13 Sun, 10 Oct 2004 PDT -0700

Fixing ptrace(pt_deny_attach, ...)

NOTE: For information on Mac OS X Tiger, refer to this article.

In Mac OS X, Apple introduced an additional, non-standard request type to the ptrace() system call - PT_DENY_ATTACH. While an understandable addition, especially in terms of providing plausible defense for their DRM applications, PT_DENY_ATTACH has come to be used by a number of third party developers in an attempt to provide further copy protection.

This is unfortunate for those of us with a genuine need to attach a debugger; There are several circumstances when this ability is necessary, including working with libSystem, writing a runtime patch with APE, writing a kext, writing an input manager, or software auditing.

There are several possible ways to work around this behavior; breaking on ptrace(2) in gdb, recompiling your kernel, or writing a kext. I choose to write a kext that hooks ptrace(2).

Click here to read more ...

[/code/macosx] permanent link